OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION'S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 FOR FISCAL YEAR 2012

November 2012    A-14-12-12120

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: November 15, 2012
To: The Commissioner
From: Inspector General
Subject: The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012 (A-14-12-12120)

OBJECTIVE
Our objective was to determine whether the Social Security Administration's (SSA) overall information security program and practices were effective and consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA) as defined by the Department of Homeland Security (DHS).

BACKGROUND
FISMA provides the framework for securing the Government's information and information systems. All agencies must implement the FISMA requirements and report annually to the Office of Management and Budget (OMB), DHS, and Congress on the adequacy and effectiveness of their security programs. FISMA requires that each agency develop, document, and implement an agency-wide information security program.[1] Each agency head is responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of agency information and information systems.[2]

FISMA also requires that each agency's Inspector General (IG), or an independent external auditor, perform an independent evaluation of the agency's information security program and practices to determine their effectiveness.[3] Each evaluation shall

• test the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems and
• assess compliance with FISMA requirements, and related information security policies, procedures, standards, and guidelines.[4]

DHS is responsible for overseeing compliance with FISMA and developing analyses to assist in OMB's annual report to Congress on Federal agencies' compliance with FISMA.[5] To fulfill its responsibilities, DHS provided annual FISMA reporting instructions for Federal agencies, including IGs. Specifically for IGs, DHS defined 11 FISMA security program components. For each component, IGs must respond to the following areas.

1. Has the Agency established an enterprise-wide program consistent with FISMA requirements, OMB policy, and applicable National Institute of Standards and Technology (NIST) guidance? If yes, besides the improvement opportunities that may have been identified by the IG, does the program include the attributes identified by DHS?

2. Provide any additional information on the effectiveness of the program.

SCOPE AND METHODOLOGY
We contracted with Grant Thornton, LLP (GT) to audit SSA's Fiscal Year (FY) 2012 financial statements.[6] Because of the extensive internal control system review completed as part of that work, some of our FISMA requirements were incorporated into GT's financial statement audit information technology (IT)-related work. This evaluation included Federal Information System Controls Audit Manual-level reviews of SSA's financial-related information systems. GT also performed an "agreed-upon procedures" engagement using FISMA, OMB, DHS, and NIST guidance, the Federal Information System Controls Audit Manual, and other relevant security laws and regulations. We evaluated GT's work and performed additional FISMA testing for this review.

To assess whether SSA met FISMA requirements as defined by DHS, we used DHS guidance[7] to test the compliance and effectiveness of agencies' security policies, procedures and practices. For the 11 FISMA security program component metrics and our responses to those metrics, see Appendix B, Office of the Inspector General Response to FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics.

This report informs Congress and the public about SSA's security performance and fulfills the OMB and DHS requirements under FISMA to submit an annual report to Congress. It provides an assessment of SSA's information security strengths and weaknesses. See Appendix C for more details on our scope and methodology.

RESULTS OF REVIEW
For FY 2012, we determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements.[8] However, weaknesses in some of the program's components limited the overall program's effectiveness to adequately protect the Agency's information and information systems. Specifically, GT identified a material weakness over internal controls in its Independent Auditor's Report. We also identified additional weaknesses. Based on our evaluation of GT's work and our own work, we believe these weaknesses constituted a significant deficiency under FISMA.

FINANCIAL STATEMENT AUDIT MATERIAL WEAKNESS

In FY 2012, GT identified deficiencies in information security controls that, when combined, it considered a material weakness. A material weakness for financial statement purposes is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected in a timely manner.[9] As a result, for FY 2012, GT reported a material weakness in SSA's internal control over its financial statements.

GT stated that SSA had attempted to strengthen controls over its systems and address the outstanding significant deficiency in information security. However, GT's FY 2012 testing identified the following security weaknesses that, when aggregated, met the definition of a material weakness for financial statement purposes.

• Lack of monitoring and policy implementation related to the configuration and information content of SSA's Intranet Webpages. The misconfiguration of some SSA systems allowed GT to obtain security information and personally identifiable information (PII)[10] from SSA's Intranet. This issue increases the risk that SSA's sensitive information could be used inappropriately.

• Lack of controls related to the identification and monitoring of high-risk programs operating on the Agency's mainframe.[11] SSA did not conduct impact assessments to determine whether significant changes to its mainframe programs created any security implications. In addition, SSA management did not have a comprehensive process to periodically review privileged programs added to SSA's mainframe environment. Privileged programs are considered high-risk because they could bypass mainframe system security.

• Insufficient vulnerability testing conducted by the Agency to identify critical weaknesses in its IT environment. For the second year in a row, GT was able to gain access to restricted information and take control of SSA's Windows network during internal penetration testing.[12] GT reported that management's failure to conduct robust enterprise-focused penetration testing increases the risk that unauthorized access may occur and go undetected, allowing privileged information or critical infrastructure to be compromised.

• Lack of a comprehensive profile and access recertification program. GT found that SSA developed identity and access management policies and procedures to periodically reassess the content of security access profiles.[13] However, the Agency had not consistently implemented these policies and procedures. Further, GT's testing identified personnel with inappropriate access.

• Lack of appropriate controls to prevent unauthorized access to the Agency's production environment. Agency management stated that a control was in place to allow programmers highly monitored and time-limited access to production data. However, GT identified software programmers with access to SSA's production data that bypassed this control. SSA management indicated this issue resulted from human error, and that no current control would have identified this error in a timely manner. In addition, GT identified instances where this control was used, but access was not approved and reviewed in a timely manner. Despite these weaknesses, GT did not find any unauthorized changes to the Agency's data.

WEAKNESSES IN SOME COMPENSATING CONTROLS

GT discussed the security weaknesses it identified with SSA management and staff. Agency management stated that compensating controls existed to mitigate the risks created by the security weaknesses. However, GT's FY 2012 financial statement audit testing and our audits identified weaknesses in some of the compensating controls identified by SSA. This included control deficiencies in the Agency's change control process and physical and logical access controls. For example, GT noted weaknesses over the approval and documentation of changes to SSA software applications. Further, we found that a contractor employee maintained physical access to SSA facilities for approximately 1 year after the contractor employee was deemed unsuitable for employment.[14] In addition, we found that a disability determination services employee's system user identification was used after the employee was terminated.[15]

ADDITIONAL SECURITY WEAKNESSES

In addition to the security weaknesses identified above, our FY 2012 FISMA testing identified some security weaknesses related to key components of SSA's information security program. These key components include Continuous Monitoring, Configuration Management, Identity and Access Management, Risk Management, and Contractor Systems Oversight. In prior years, we have also identified weaknesses in these areas. We highlight some key weaknesses below.

• Continuous Monitoring:[16] The Agency had not fully implemented its continuous monitoring strategy. For example, SSA had not implemented compliance monitoring tools for all of its platforms.[17] Further, SSA needed to assess and validate the technical capacity of each continuous monitoring tool to meet NIST requirements. Finally, SSA's continuous monitoring activities did not provide the near real-time information required for Agency officials to proactively manage the Agency's information security program in accordance with OMB and NIST requirements.

• Configuration Management:[18] SSA used risk models for its platforms to prescribe security settings and manage risk. However, SSA had not documented risk models for all of its platforms. Further, the Agency did not perform vulnerability scans of all platforms to determine whether prescribed security settings were implemented. Moreover, the vulnerability scans and penetration testing performed by GT identified a number of security weaknesses.

• Identity and Access Management:[19] SSA scanned its network to identify connected hardware, but as of the date of this review, it had been unable to categorize all types of hardware and their associated operating systems.

• Risk Management:[20] SSA had weaknesses in its security governance structure. The Agency's central technical security component did not have control over regional office Intranet Websites. In addition, SSA lacked a centralized process to authorize hardware devices before they were connected to the Agency's network.

• Contractor Systems Oversight:[21] SSA did not maintain a complete inventory of all contractor systems and services and did not ensure all contractor systems and services met Federal security requirements. Specifically, we identified seven systems and services that met the FISMA criteria for contractor systems but either were not included in the Agency's systems inventory or were not identified as a contractor system or service, as required by FISMA guidance. Further, some of SSA's contracts did not include Federal security requirements, as required by FISMA guidance.

FISMA SIGNIFICANT DEFICIENCY

OMB defines a FISMA significant deficiency as ". . . a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken."[22]

SSA administers two of the nation's largest entitlement programs, the Old-Age, Survivors, and Disability Insurance program and the Supplemental Security Income program. These programs touch the lives of virtually every American. It is imperative that SSA protect these programs by ensuring the safety and security of its information systems and the data contained in them.

Based on our evaluation of the work performed by GT and the results of our additional FISMA work, we concluded that the risk and severity of SSA's information security weaknesses were great enough to constitute a significant deficiency under FISMA. These weaknesses could result in losses of confidentiality, integrity, and availability of SSA information systems and data.[23] Given the complex systems and magnitude of sensitive information housed on SSA's systems, any loss of confidentiality, integrity, or availability of Agency systems or data could have a significant impact on the public and the nation's economy. For example, during its internal penetration testing, GT was able to take control of SSA's Windows network and obtain many records containing PII. In addition, GT noted concerns related to the identification and monitoring of high-risk programs operating on the mainframe. Without performing specific assessments of the impact of program changes on the system security framework, there is an increased risk that the security posture and controls may be bypassed or compromised. Finally, GT identified programmers with access to production data that bypassed SSA's process to monitor and limit such access. Specifically, GT identified programmers with unmonitored access to production data for a benefit application. This issue increases the risk that programmers could make unauthorized changes to the production environment without detection.

The security deficiencies identified above, when aggregated, created a weakness in SSA's overall information systems security program that, in our opinion, significantly compromised the security of its information and information systems. We also believe that the risk was great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.[24]

UNDERLYING CAUSES FOR SSA'S FINANCIAL STATEMENT AUDIT MATERIAL WEAKNESS AND FISMA SIGNIFICANT DEFICIENCY

Based on our testing and evaluation of GT's work, we believe the following items caused the Agency's material weakness and FISMA significant deficiency.

1. SSA had not fully implemented a comprehensive and robust continuous monitoring program based on a sound configuration management program. Without a robust continuous monitoring program that includes integrated and operating continuous monitoring tools and the capacity to report SSA's security state to appropriate Agency officials, the Agency had a limited ability to make timely risk management decisions.
2. SSA had a decentralized governance structure for IT security. This resulted in a system misconfiguration that enabled GT, without detection, to obtain PII and take control of SSA's Windows network.
3. SSA needed to strategically allocate sufficient resources to resolve or prevent high-risk security weaknesses in a more timely manner. This includes the use of more effective security testing methods, such as broad penetration testing techniques.

AGENCY EFFORTS TO RESOLVE SECURITY WEAKNESSES

It should be noted that SSA took action to address some of the security weaknesses identified by GT and us:

Lack of monitoring and policy implementation related to the configuration and information content of SSA's Intranet Webpages. SSA stated it was conducting a Web vulnerability assessment. In addition, the Agency stated it had purchased and was deploying a data loss protection tool.

Lack of controls related to the identification and monitoring of high-risk programs operating on the Agency's mainframe. The Agency removed one high-risk privileged program identified by GT. Furthermore, SSA stated it was expanding its review process to include all mainframe privileged programs.

Insufficient vulnerability testing conducted by the Agency to identify critical weaknesses in its IT environment. SSA documentation indicated that over the past 10 years, the Agency has performed some penetration testing. Between 2009 and 2011, SSA used some of the funding traditionally used for penetration testing for other information security purposes. However, SSA stated that in 2012, it began performing penetration testing with an open and dynamic scope. The Agency hired three contractor employees in September 2012 to perform targeted internal penetration testing to identify security weaknesses in SSA's networks.

Lack of a comprehensive profile and access recertification program. In FY 2011, SSA issued two policies governing security profiles.[25] In addition, the Agency assembled a workgroup to address its access control weaknesses. The workgroup tested a commercial tool to manage the profile review process for SSA employee and contractor access. The Agency began using the tool in FY 2012. SSA planned to remediate some access control issues by fully implementing its profile and access recertification program in early FY 2013.

Lack of appropriate controls to prevent unauthorized access to the Agency's production environment. SSA management stated that the Agency removed the access of the programmers identified in GT's testing. Moreover, the Agency stated its triennial access recertification will identify these issues in the future, and SSA was exploring options to alert the Agency if programmers gain access to the production environment.

Continuous monitoring strategy not fully implemented. SSA developed a continuous monitoring strategy, but the strategy had not been fully implemented. SSA discussed its preliminary plan to implement its continuous monitoring strategy with us. To build upon its continuous monitoring strategy, SSA has been evaluating the ability of its continuous monitoring tools to ensure compliance with Federal requirements and Agency policies and procedures. Further, SSA management stated that after the continuous monitoring tool evaluations are completed, it will have a better idea of the timeframe needed to fully implement its continuous monitoring strategy. The Agency plans to complete the continuous monitoring tool evaluations by the end of calendar year 2012. Finally, SSA is evaluating which security deficiencies identified by GT could be resolved by fully implementing its continuous monitoring strategy.

CONCLUSION AND RECOMMENDATIONS
For FY 2012, we determined that SSA's overall information security program and practices were generally consistent with FISMA requirements. However, weaknesses in some components of the program limited the overall program's effectiveness to adequately protect the Agency's information and information systems. We noted that GT reported a material weakness over SSA's internal controls for the Agency's financial statement audit. After considering this material weakness, its underlying causes, and the results of our FISMA-related work, we concluded that the risk and severity of SSA's information security weaknesses were great enough to constitute a significant deficiency under FISMA.

SSA needed to effectively protect its mission-critical assets. Without appropriate security, the Agency's systems and the sensitive data they contain are at risk. Some weaknesses identified in this report could cause the Agency's systems and data to lose confidentiality, integrity, and availability to some degree. Given the complex systems and magnitude of sensitive information housed on SSA's systems, any loss of the confidentiality, integrity, or availability of Agency systems or data could have a significant impact on the public.

To improve the effectiveness of SSA's overall information security program and to address the material weakness, GT recommended that SSA management consider implementing:

• Monitoring controls designed to identify configurations in the SSA network and systems environment that do not comply with the SSA system configuration policy. In addition, management should consider implementing controls to identify and track content on SSA's Intranet Webpages that may pose a risk to the security of SSA systems or the confidentiality of SSA data.
• A comprehensive program to identify and monitor high-risk programs operating on the mainframe. Consider including the identification of programs that may pose security risks to the SSA mainframe before they are loaded onto the production environment.
• Comprehensive enterprise-wide security vulnerability testing, including simulated penetration attacks, to identify critical weaknesses in the IT environment that may not be identified by the current control processes.
• A comprehensive profile and access recertification program.
• Additional controls to prevent unauthorized programmer access to the production environment.

We reiterate GT's recommendations and believe these recommendations address the financial statement audit material weakness and FISMA significant deficiency. In addition, our prior FISMA reports identified issues related to SSA's (1) continuous monitoring, (2) configuration management, (3) identity and access management, (4) risk management, and (5) contractor systems oversight. We affirm our prior recommendations in these areas and encourage the Agency to continue implementing them.

[1] Pub. L. No. 107-347, Title III, Section 301 § 3544(b); 44 U.S.C. § 3544(b).
[2] Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(A); 44 U.S.C. § 3544(a)(1)(A).
[3] Pub. L. No. 107-347, Title III, Section 301 §§ 3545(a)(1) and (b)(1); 44 U.S.C. §§ 3545(a)(1) and (b)(1).
[4] Pub. L. No. 107-347, Title III, Section 301 §§ 3545(a)(2)(A) and (B); 44 U.S.C. §§ 3545(a)(2)(A) and (B).
[5] OMB, M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), July 6, 2010, page 2.
[6] Office of the Inspector General Contract Number GS-23F-8196H, December 3, 2009. The FY 2012 option was exercised in December 2011.
[7] DHS, FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, March 6, 2012.
[8] Our conclusion was based on our assessment of SSA's compliance with DHS' FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, March 6, 2012. As indicated in Appendix B, we determined that SSA established all 11 security program components, which were generally consistent with Federal guidance. The 11 components established by SSA included the vast majority of attributes identified by DHS. However, we also noted improvement opportunities for many attributes.
[9] The definition of a material weakness for financial statement internal control is provided by the Statement on Auditing Standards Number 115, Communicating Internal Control-Related Matters Identified in an Audit.
[10] OMB, M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006, page 1, defines PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.
[11] International Business Machines Corp. defines a mainframe as computers that can support thousands of applications and input/output devices to simultaneously serve thousands of users. A mainframe is the central data repository, or hub, in a corporation's data processing center, linked to users through less powerful devices such as workstations or terminals.
[12] GT used a different method to take control of SSA's Windows network this year.
[13] A profile is one of SSA's primary access control mechanisms. Each profile contains a unique mix of facilities and transactions that determines what access to systems resources a specific position needs.
[14] The contractor employee was immediately removed from the contract after the appropriate SSA personnel were notified.
[15] Management confirmed that no transactions were executed with the terminated employee's user identification after termination.
[16] Continuous Monitoring maintains ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
[17] A platform is a hardware and/or software architecture that serves as a foundation or base. An operating system, like Windows, is an example of a platform.
[18] From a security point of view, Configuration Management provides assurance that the system in operation is the correct version (configuration) of the system and that any changes to be made are reviewed for security implications.
[19] Identity and Access Management includes policies to control user access to information system objects, including devices, programs, and files. The identification of devices with Internet Protocol addresses attached to an agency's network is included under the Identity and Access Management section of DHS' FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, March 6, 2012.
[20] "Risk Management is the process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system." NIST Special Publication 800-53, Rev. 3, page B-11.
[21] Agencies are responsible for ensuring that appropriate security controls are in place over contractor systems used or operated by contractors or other entities (such as other Federal or state agencies) on behalf of an agency. We used OMB M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Frequently Asked Questions, September 27, 2012, pages 15 to 16, to determine the purview of the Agency's FISMA responsibilities for contractor systems. SSA disagreed with our interpretation. However, this OMB guidance explicitly provides that "Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which process, store, or transmit Federal information, or which operate, use, or have access to Federal information systems (whether automated or manual), on behalf of a Federal agency." OMB, M-12-20 at page 16.
[22] OMB, M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Frequently Asked Questions, September 27, 2012, page 26.
[23] Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Availability means ensuring timely and reliable access to and use of information. Pub. L. No. 107-347, Title III, Section 301 § 3542(b)(1)(A) to (C); 44 U.S.C. § 3542(b)(1)(A) to (C).
[24] Significant deficiencies identified under FISMA must be reported as material weaknesses in the annual Federal Managers' Financial Integrity Act of 1982 report. OMB Circular A-123 Revised, Management's Responsibility for Internal Control, Section IV B, December 21, 2004.
[25] SSA, Security Profile Administration Processes Final Mainframe Administration Standards, May 10, 2011, and SSA, Security Profile Administration Processes Profile Naming Conventions, October 28, 2010.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Office of the Inspector General Response to FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics
APPENDIX C – Scope and Methodology
APPENDIX D – The Social Security Administration's Major Systems
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
DHS           Department of Homeland Security
FISMA         Federal Information Security Management Act of 2002
FY            Fiscal Year
GT            Grant Thornton LLP
IG            Inspector General
IT            Information Technology
NIST          National Institute of Standards and Technology
OMB           Office of Management and Budget
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
SSA           Social Security Administration
U.S.C.        United States Code

Appendix B

Office of the Inspector General Response to FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics[1]

Section 1: CONTINUOUS MONITORING MANAGEMENT

1.1. Has the Organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines?
     Yes
     If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

     1.1.1. Documented policies and procedures for continuous monitoring.
            Yes
     1.1.2. Documented strategy and plans for continuous monitoring.
            Yes
     1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
            Yes
            Comments: To date, SSA had not fully implemented its continuous monitoring program. For example, the Agency had not developed risk models for some of the hardware and software connected to its network. Therefore, the Agency did not continually monitor these operating system platforms and applications.
     1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions and updates with the frequency defined in the strategy and/or plans.

[1] Department of Homeland Security (DHS), FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, March 6, 2012.
We extracted the DHS metrics as they were written\nin the document without editing, except for the citations to Federal guidance at the end of some metrics\nthat we omitted for consistency.\n\n\n\n\n                                                    B-1\n\x0c             Yes\n             Comments: SSA\xe2\x80\x99s current continuous monitoring could not provide\n             a comprehensive view and near real-time information of the\n             enterprise.\n1.2.   Please provide any additional information on the effectiveness of the\n       Organization\xe2\x80\x99s Continuous Monitoring Management Program that was not\n       noted in the questions above.\n       Comments: SSA did have a continuous monitoring strategy, but it had not\n       been fully implemented. For example, SSA had identified, evaluated, and\n       implemented, some continuous monitoring tools for its operating\n       environment. However, the Agency needed additional time to ensure the\n       continuous monitoring tools were fully operable within its information\n       system environment. Consequently, SSA\xe2\x80\x99s continuous monitoring\n       program could not provide a comprehensive view and near real-time\n       information of the enterprise.\n\n       Weaknesses identified in this area contributed to a financial statement\n       audit material weakness identified by Grant Thornton, LLP (GT). Based on\n       our work and evaluation of GT\xe2\x80\x99s work, we concluded that SSA had a FISMA\n       significant deficiency.\n\n Section 2: CONFIGURATION MANAGEMENT\n\n\n2.1.   Has the Organization established a security configuration management\n       program that is consistent with FISMA requirements, OMB policy, and\n       applicable NIST guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been\n       identified by the OIG, does the program include the following attributes:\n\n       2.1.1. 
Documented policies and procedures for configuration management.\n             Yes\n       2.1.2. Standard baseline configurations defined.\n             Yes\n             Comments: The Agency had established baseline configurations for\n             many, but not all, computer platforms.\n       2.1.3. Assessing for compliance with baseline configurations.\n             Yes\n             Comments: We identified security weaknesses in the configuration\n             settings of some SSA computer platforms. Internal penetration\n\n\n                                         B-2\n\x0c      testers were able to obtain security information and personally\n      identifiable information because some of SSA\xe2\x80\x99s systems were\n      misconfigured. SSA had taken corrective action to address these\n      issues.\n2.1.4. Process for timely, as specified in Organization policy or standards,\n       remediation of scan result deviations.\n      Yes\n2.1.5. For Windows-based components, FDCC/USGCB secure\n       configuration settings fully implemented and any deviations from\n       FDCC/USGCB baseline settings fully documented.\n      Yes\n2.1.6. Documented proposed or actual changes to hardware and software\n       configurations.\n      Yes\n      Comments: SSA monitored the hardware devices connected to its\n      network to determine whether they complied with approved risk\n      models and configuration settings. However, the Agency did not\n      conduct impact assessments to determine the security implications\n      for system changes. In addition, management did not have a\n      formally documented process to periodically review the privileged\n      programs added to the Agency\xe2\x80\x99s mainframe environment to ensure\n      that all privileged programs are approved, cannot be improperly\n      modified, and are safe. We also identified discrepancies in the\n      approval and documentation of changes to SSA applications.\n2.1.7. 
Process for timely and secure installation of software patches.\n      Yes\n2.1.8. Software assessing (scanning) capabilities are fully implemented.\n      No\n      Comments: The Agency had implemented scanning procedures for\n      some, but not all, platforms. SSA did not have a formal process in\n      place for managing or obtaining a comprehensive list of approved\n      software for all devices. However, the Agency had made efforts to\n      develop this process.\n2.1.9. Configuration-related vulnerabilities, including scan findings, have\n       been remediated in a timely manner, as specified in Organization\n       policy or standards.\n      Yes\n      Comments: Annual vulnerability scans and penetration testing have\n      consistently identified security weaknesses. However, some\n      security weaknesses were fully or partially remediated during the\n\n\n                                   B-3\n\x0c               audit period. Since the Agency does not have risk models for all\n               computer platforms, some configuration-related vulnerabilities went\n               unidentified.\n         2.1.10. Patch management process is fully developed, as specified in\n                Organization policy or standards.\n               Yes\n2.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s Configuration Management Program that was not noted in\n         the questions above.\n         Comments: Weaknesses identified in this area contributed to a financial\n         statement audit material weakness identified by GT. Based on our work\n         and evaluation of GT\xe2\x80\x99s work, we concluded that SSA had a FISMA\n         significant deficiency.\n\n Section 3: IDENTITY AND ACCESS MANAGEMENT\n\n\n3.1. 
Has the Organization established an identity and access management\n    program that is consistent with FISMA requirements, OMB policy, and\n    applicable NIST guidelines and identifies users and network devices?\n       Yes\n       If yes, besides the improvement opportunities that have been identified by the\n       OIG, does the program include the following attributes:\n\n         3.1.1. Documented policies and procedures for account and identity\n                management.\n               Yes\n         3.1.2. Identifies all users, including federal employees, contractors, and\n                others who access Organization systems.\n               Yes\n         3.1.3. Identifies when special access requirements (e.g., multi-factor\n                authentication) are necessary.\n               Yes\n               Comments: We identified programmers with access to production\n               data that bypassed SSA\xe2\x80\x99s process to monitor and limit such access.\n         3.1.4. If multi-factor authentication is in use, it is linked to the\n                Organization\xe2\x80\x99s PIV program where appropriate.\n               Yes\n         3.1.5. Organization has adequately planned for implementation of PIV for\n                logical access in accordance with government policies.\n\n\n                                               B-4\n\x0c      Yes\n3.1.6. Ensures that the users are granted access based on needs and\n       separation of duties principles.\n      Yes\n      Comments: Although SSA had an extensive access control\n      program, internal penetration testers were able to take control of\n      SSA\xe2\x80\x99s Windows network. 
Testing also identified personnel with\n      inappropriate access and programmers with access to production\n      data that bypassed SSA\xe2\x80\x99s process to monitor and limit such access.\n      The Agency had not consistently implemented policies and\n      procedures to periodically reassess the content of security access\n      profiles. SSA was working to improve its profile and access\n      recertification program and planned for a full implementation in\n      Fiscal Year (FY) 2013.\n3.1.7. Identifies devices with IP addresses that are attached to the network\n       and distinguishes these devices from users. (For example: IP\n       phones, faxes, printers are examples of devices attached to the\n       network that are distinguishable from desktops, laptops or servers\n       that have user accounts)\n      Yes\n      Comments: Although SSA scanned its network to identify hardware\n      devices connected to it, the Agency had been unable to categorize\n      all hardware devices and their associated operating systems\n      connected to its network. Further, SSA did not have an automated\n      capability to determine whether hardware devices connected to its\n      network were authorized.\n3.1.8. Identifies all User and Non-User Accounts (refers to user accounts\n       that are on a system. Examples of non-user accounts are accounts\n       such as an IP that is set up for printing. Data user accounts are\n       created to pull generic information from a database or a\n       guest/anonymous account for generic login purposes that are not\n       associated with a single user or a specific group of users)\n      Yes\n3.1.9. 
Ensures that accounts are terminated or deactivated once access is\n        no longer required.\n      Yes\n      Comments: Although SSA had policies and procedures to terminate\n      access when it is no longer needed, we identified instances where\n      physical and logical access was not removed timely.\n\n\n\n\n                                   B-5\n\x0c         3.1.10. Identifies and controls use of shared accounts.\n               Yes\n3.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s Identity and Access Management Program that was not\n         noted in the questions above.\n         Comments: Weaknesses identified in this area contributed to a financial\n         statement audit material weakness identified by GT. Based on our work\n         and evaluation of GT\xe2\x80\x99s work, we concluded that SSA had a FISMA\n         significant deficiency.\n\n Section 4: INCIDENT RESPONSE AND REPORTING\n\n\n4.1. Has the Organization established an incident response and reporting\n    program that is consistent with FISMA requirements, OMB policy, and\n    applicable NIST guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been identified\n       by the OIG, does the program include the following attributes:\n\n         4.1.1. Documented policies and procedures for detecting, responding to\n                and reporting incidents.\n               Yes\n         4.1.2. Comprehensive analysis, validation and documentation of incidents.\n               Yes\n         4.1.3. When applicable, reports to US-CERT within established timeframes.\n               Yes\n         4.1.4. When applicable, reports to law enforcement within established\n                timeframes.\n               Yes\n               Comments: SSA reported incidents to OIG in a timely manner. 
The\n               Agency did not have an established timeframe for reporting\n               incidents to external law enforcement or the Federal Protective\n               Services. SSA identified incidents reported to external law\n               enforcement or the Federal Protective Services; however, the\n               Agency did not provide police reports for sampled incidents.\n         4.1.5. Responds to and resolves incidents in a timely manner, as specified\n                in Organization policy or standards, to minimize further damage.\n               Yes\n\n\n\n                                           B-6\n\x0c         4.1.6. Is capable of tracking and managing risks in a virtual/cloud\n                environment, if applicable.\n               Yes\n         4.1.7. Is capable of correlating incidents.\n               Yes\n         4.1.8. There is sufficient incident monitoring and detection coverage in\n                accordance with government policies.\n               Yes\n4.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s Incident Management Program that was not noted in the\n         questions above.\n         N/A\n\n Section 5: RISK MANAGEMENT\n\n5.1. Has the Organization established a risk management program that is\n    consistent with FISMA requirements, OMB policy, and applicable NIST\n    guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been identified\n       by the OIG, does the program include the following attributes:\n\n         5.1.1. Documented and centrally accessible policies and procedures for\n                risk management, including descriptions of the roles and\n                responsibilities of participants in this process.\n               Yes\n         5.1.2. 
Addresses risk from an organization perspective with the\n                development of a comprehensive governance structure and\n                organization-wide risk management strategy as described in NIST\n                800-37, Rev.1\n               Yes\n               Comments: SSA had a decentralized governance structure for IT\n               security. This resulted in a system misconfiguration going\n               undetected, enabling GT to obtain security and personally\n               identifiable information. In addition, SSA lacked a centralized\n               process to authorize hardware devices before they were connected\n               to the Agency\xe2\x80\x99s network.\n\n\n\n\n                                             B-7\n\x0c 5.1.3. Addresses risk from a mission and business process perspective\n        and is guided by the risk decisions at the organizational perspective,\n        as described in NIST 800-37, Rev.1.\n       Yes\n 5.1.4. Addresses risk from an information system perspective and is\n        guided by the risk decisions at the organizational perspective and\n        the mission and business perspective, as described in NIST 800-37,\n        Rev. 1.\n       Yes\n 5.1.5. Categorizes information systems in accordance with government\n       policies.\n       Yes\n 5.1.6. Selects an appropriately tailored set of baseline security controls.\n       Yes\n 5.1.7. Implements the tailored set of baseline security controls and\n        describes how the controls are employed within the information\n        system and its environment of operation.\n       Yes\n 5.1.8. 
Assesses the security controls using appropriate assessment\n        procedures to determine the extent to which the controls are\n        implemented correctly, operating as intended, and producing the\n        desired outcome with respect to meeting the security requirements\n        for the system.\n       Yes\n       Comments: Financial statement audit testing found that SSA\xe2\x80\x99s\n       vulnerability testing was insufficient.\n 5.1.9. Authorizes information system operation based on a determination\n        of the risk to organizational operations and assets, individuals, other\n        organizations, and the Nation resulting from the operation of the\n        information system and the decision that this risk is acceptable.\n       Yes\n5.1.10. Ensures information security controls are monitored on an ongoing\n        basis including assessing control effectiveness, documenting\n        changes to the system or its environment of operation, conducting\n        security impact analyses of the associated changes, and reporting\n        the security state of the system to designated organizational\n        officials.\n       Yes\n\n\n\n                                    B-8\n\x0c              Comments: SSA performed security authorizations and annual\n              security testing of selected controls. However, SSA\xe2\x80\x99s continuous\n              monitoring program was not fully implemented. See comment for\n              Metric 1.2.\n       5.1.11. Information system specific risks (tactical), mission/business\n               specific risks and organizational level (strategic) risks are\n               communicated to appropriate levels of the organization.\n              Yes\n       5.1.12. Senior Officials are briefed on threat activity on a regular basis by\n               appropriate personnel. (e.g., CISO).\n              Yes\n       5.1.13. 
Prescribes the active involvement of information system owners and\n               common control providers, chief information officers, senior\n               information security officers, authorizing officials, and other roles as\n               applicable in the ongoing management of information system-related\n               security risks.\n              Yes\n       5.1.14. Security authorization package contains system security plan,\n               security assessment report, and POA&M in accordance with\n               government policies.\n              Yes\n       5.1.15. Security authorization package contains Accreditation boundaries\n               for Organization information systems defined in accordance with\n               government policies.\n              Yes\n5.2.    Please provide any additional information on the effectiveness of the\n        Organization\xe2\x80\x99s Risk Management Program that was not noted in the\n        questions above.\n        Comments: Weaknesses identified in this area contributed to a financial\n        statement audit material weakness identified by GT. Based on our work\n        and evaluation of GT\xe2\x80\x99s work, we concluded that SSA had a FISMA\n        significant deficiency.\n\n\n\n\n                                            B-9\n\x0c Section 6: SECURITY TRAINING\n\n\n6.1. Has the Organization established a security training program that is\n    consistent with FISMA requirements, OMB policy, and applicable NIST\n    guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been identified\n       by the OIG, does the program include the following attributes:\n\n         6.1.1. Documented policies and procedures for security awareness\n                training.\n               Yes\n         6.1.2. 
Documented policies and procedures for specialized training for\n                users with significant information security responsibilities.\n               Yes\n         6.1.3. Security training content based on the organization and roles, as\n                specified in Organization policy or standards.\n               Yes\n         6.1.4. Identification and tracking of the status of security awareness\n                training for all personnel (including employees, contractors, and\n                other Organization users) with access privileges that require security\n                awareness training.\n               Yes\n         6.1.5. Identification and tracking of the status of specialized training for all\n                personnel (including employees, contractors, and other Organization\n                users) with significant information security responsibilities that\n                require specialized training.\n               Yes\n         6.1.6. Training material for security awareness training contains\n                appropriate content for the Organization.\n               Yes\n6.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s Security Training Program that was not noted in the\n         questions above.\n         N/A\n\n\n\n\n                                            B-10\n\x0cSection 7: PLAN OF ACTION & MILESTONES (POA&M)\n\n\n7.1. Has the Organization established a POA&M program that is consistent with\n    FISMA requirements, OMB policy, and applicable NIST guidelines and tracks\n    and monitors known information security weaknesses?\n   Yes\n   If yes, besides the improvement opportunities that may have been identified\n   by the OIG, does the program include the following attributes:\n\n      7.1.1. 
Documented policies and procedures for managing IT security\n             weaknesses discovered during security control assessments and\n             requiring remediation.\n            Yes\n            Comments: SSA\xe2\x80\x99s policy needed to be updated to reflect the current\n            tools used to monitor and track security weaknesses.\n      7.1.2. Tracks, prioritizes and remediates weaknesses.\n            Yes\n            Comments: We found some IT security risks that were tracked, but\n            not prioritized.\n      7.1.3. Ensures remediation plans are effective for correcting weaknesses.\n            Yes\n      7.1.4. Establishes and adheres to milestone remediation dates.\n            Yes\n            Comments: We noted several POA&Ms that did not include a\n            scheduled completion date.\n      7.1.5. Ensures resources are provided for correcting weaknesses.\n            Yes\n      7.1.6. POA&Ms include security weaknesses discovered during\n             assessments of security controls and requiring remediation. (Do not\n             need to include security weakness due to a Risk Based Decision to\n             not implement a security control).\n            Yes\n      7.1.7. Costs associated with remediating weaknesses are identified.\n            Yes\n      7.1.8. Program officials and contractors report progress on remediation to\n             CIO on a regular basis, at least quarterly, and the CIO centrally\n\n\n\n                                       B-11\n\x0c               tracks, maintains, and independently reviews/validates the POA&M\n               activities at least quarterly.\n               Yes\n7.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s POA&M Program that was not noted in the questions above.\n         N/A\n\n Section 8: REMOTE ACCESS MANAGEMENT\n\n\n8.1. 
Has the Organization established a remote access program that is consistent\n    with FISMA requirements, OMB policy, and applicable NIST guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been identified\n       by the OIG, does the program include the following attributes:\n\n         8.1.1. Documented policies and procedures for authorizing, monitoring,\n                and controlling all methods of remote access.\n               Yes\n         8.1.2. Protects against unauthorized connections or subversion of\n                authorized connections.\n               Yes\n         8.1.3. Users are uniquely identified and authenticated for all access.\n               Yes\n         8.1.4. Telecommuting policy is fully developed.\n               Yes\n               Comments: SSA\xe2\x80\x99s revised telework policy was in draft form,\n               pending the resolution of administrative matters.\n         8.1.5. If applicable, multi-factor authentication is required for remote\n                access.\n               Yes\n         8.1.6. Authentication mechanisms meet NIST Special Publication 800-63\n                guidance on remote electronic authentication, including strength\n                mechanisms.\n               Yes\n         8.1.7. Defines and implements encryption requirements for information\n                transmitted across public networks.\n               Yes\n\n\n                                            B-12\n\x0c         8.1.8. Remote access sessions, in accordance to OMB M-07-16, are timed-\n                out after 30 minutes of inactivity after which re-authentication are\n                required.\n               Yes\n               Comments: SSA exceeded best practice since its sessions time-out\n               after 15 minutes of inactivity.\n         8.1.9. Lost or stolen devices are disabled and appropriately reported.\n               Yes\n         8.1.10. 
Remote access rules of behavior are adequate in accordance with\n                government policies.\n               Yes\n         8.1.11. Remote access user agreements are adequate in accordance with\n                government policies.\n               Yes\n8.2.     Please provide any additional information on the effectiveness of the\n         Organization\xe2\x80\x99s Remote Access Management that was not noted in the\n         questions above.\n         N/A\n\n Section 9: CONTINGENCY PLANNING\n\n\n9.1. Has the Organization established an enterprise-wide business\n    continuity/disaster recovery program that is consistent with FISMA\n    requirements, OMB policy, and applicable NIST guidelines?\n       Yes\n       If yes, besides the improvement opportunities that may have been identified\n       by the OIG, does the program include the following attributes:\n\n         9.1.1. Documented business continuity and disaster recovery policy\n                providing the authority and guidance necessary to reduce the impact\n                of a disruptive event or disaster.\n               Yes\n         9.1.2. The Organization has performed an overall Business Impact Analysis\n                (BIA).\n               Yes\n         9.1.3. Development and documentation of division, component, and IT\n                infrastructure recovery strategies, plans and procedures.\n               Yes\n\n\n                                           B-13\n\x0c       9.1.4. Testing of system specific contingency plans.\n             Yes\n             Comments: The Agency did not conduct contingency plan testing\n             for 2 of the 21 major systems/applications. For one of the\n             applications, the application owners were not aware of the annual\n             testing requirement. 
For the other application, the application\n             owners were working with the appropriate subject matter experts to\n             integrate their application into SSA\xe2\x80\x99s disaster recovery exercise.\n       9.1.5. The documented business continuity and disaster recovery plans are\n              in place and can be implemented when necessary.\n             Yes\n       9.1.6. Development and fully implementable of test, training, and exercise\n               (TT&E) programs.\n             Yes\n       9.1.7. Performance of regular ongoing testing or exercising of business\n              continuity/disaster recovery plans to determine effectiveness and to\n              maintain current plans.\n             Yes\n       9.1.8. After-action report that addresses issues identified during\n              contingency/disaster recovery exercises.\n             Yes\n       9.1.9. Systems that have alternate processing sites.\n             Yes\n       9.1.10. Alternate processing sites are subject to the same risks as primary\n              sites.\n             Yes\n       9.1.11. Backups of information that are performed in a timely manner.\n             Yes\n       9.1.12. Contingency planning that consider supply chain threats.\n             Yes\n             Comments: SSA\xe2\x80\x99s two data centers will back up each other. SSA\n             considered supply chain threats for one data center, but not the\n             other.\n9.2.   Please provide any additional information on the effectiveness of the\n       Organization\xe2\x80\x99s Contingency Planning Program that was not noted in the\n       questions above.\n       N/A\n\n\n\n                                         B-14\n\x0cSection 10: CONTRACTOR SYSTEMS\n\n\n10.1. 
Has the Organization established a program to oversee systems operated\n      on its behalf by contractors or other entities, including Organization\n      systems and services residing in the cloud external to the Organization?\n    Yes\n    If yes, besides the improvement opportunities that may have been identified\n    by the OIG, does the program includes the following attributes:\n\n      10.1.1. Documented policies and procedures for information security\n              oversight of systems operated on the Organization\xe2\x80\x99s behalf by\n              contractors or other entities, including Organization systems and\n              services residing in public cloud.\n             Yes\n      10.1.2. The Organization obtains sufficient assurance that security controls\n              of such systems and services are effectively implemented and\n              comply with federal and Organization guidelines.\n             Yes\n             Comments: For 12 of 17 contractor systems identified by our\n             testing, SSA either performed a security authorization or obtained\n             documentation of the systems\xe2\x80\x99 compliance with Federal security\n             guidelines. Three of the contractor systems were operated or\n             owned by other Federal or State agencies. One was operated by a\n             contractor whose services were used by many Federal agencies.\n             SSA believed it was not responsible for performing a security\n             authorization of this contractor system. The remaining contractor\n             system was a Website, located in a public cloud, but did not have\n             the proper security authorization. However, the Website contained\n             non-sensitive, public information, and a link that redirected users to\n             SSA\xe2\x80\x99s secure Website to report fraud allegations.\n      10.1.3. 
A complete inventory of systems operated on the Organization's\n              behalf by contractors or other entities, including Organization\n              systems and services residing in public cloud.\n             No\n             Comments: We found seven contractor systems that SSA had not\n             identified on its inventory list.\n      10.1.4. The inventory identifies interfaces between these systems and\n              Organization-operated systems.\n             Yes\n\n\n\n\n                                        B-15\n\x0c      10.1.5. The Organization requires appropriate agreements (e.g., MOUs,\n              Interconnection Security Agreements, contracts, etc.) for interfaces\n              between these systems and those that it owns and operates.\n             Yes\n      10.1.6. The inventory of contractor systems is updated at least annually.\n              Yes\n      10.1.7. Systems that are owned or operated by contractors or entities,\n              including Organization systems and services residing in public\n              cloud, are compliant with FISMA requirements, OMB policy, and\n              applicable NIST guidelines.\n              Yes\n              Comments: See comments for Metric 10.1.2.\n10.2. Please provide any additional information on the effectiveness of the\n      Organization\xe2\x80\x99s Contractor Systems Program that was not noted in the\n      questions above.\n      Comments: We found some IT-related contracts did not contain the proper\n      FISMA security clause requirements.\n\nSection 11: SECURITY CAPITAL PLANNING\n\n\n11.1. Has the Organization established a security capital planning and investment\n     program for information security?\n    Yes\n    If yes, besides the improvement opportunities that may have been identified\n    by the OIG, does the program include the following attributes:\n\n      11.1.1. 
Documented policies and procedures to address information\n              security in the capital planning and investment control (CPIC)\n              process.\n             Yes\n      11.1.2. Includes information security requirements as part of the capital\n              planning and investment process.\n             Yes\n      11.1.3. Establishes a discrete line item for information security in\n              organizational programming and documentation.\n             Yes\n      11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the\n              information security resources required.\n\n\n                                         B-16\n\x0c             Yes\n             Comments: We identified inconsistencies in the supporting\n             documents for some line items in Exhibit 53B. For example, some\n             Exhibit 53B numbers were based on budget estimates rather than\n             budget decisions.\n      11.1.5. Ensures that information security resources are available for\n              expenditure as planned.\n             Yes\n11.2. Please provide any additional information on the effectiveness of the\n      Organization\xe2\x80\x99s Security Capital Planning Program that was not noted in the\n      questions above.\n      N/A\n\n\n\n\n                                        B-17\n\x0c                                                                               Appendix C\n\nScope and Methodology\nThe Federal Information Security Management Act of 2002 (FISMA) directs each\nagency\xe2\x80\x99s Inspector General to perform, or have an independent external auditor\nperform, an annual independent evaluation of the agency\xe2\x80\x99s information security\nprograms and practices, as well as a review of an appropriate subset of agency\nsystems. We contracted with Grant Thornton LLP (GT) to audit the Social Security\nAdministration\xe2\x80\x99s (SSA) Fiscal Year (FY) 2012 financial statements. 
Because of the\nextensive internal control system work that is completed as part of that audit, our FISMA\nreview requirements were incorporated into the GT financial statement audit contract.\nThis evaluation included the Federal Information System Controls Audit Manual level\nreviews of SSA\xe2\x80\x99s financial-related information systems. GT also performed an \xe2\x80\x9cagreed-\nupon procedures\xe2\x80\x9d engagement using FISMA; Department of Homeland Security (DHS)\nFederal Information Security Memorandum 12-02, FY 2012 Reporting Instructions for\nthe Federal Information Security Management Act and Agency Privacy Management;\nNational Institute of Standards and Technology guidance; the Federal Information\nSystem Controls Audit Manual; and other relevant security laws and regulations as a\nframework to complete the Inspector General-required review of SSA\xe2\x80\x99s information\nsecurity program and practices and its information systems.\n\nThe results of our FISMA review are based on our evaluation of GT\xe2\x80\x99s FY 2012 financial\nstatement audit and agreed-upon procedures work papers as well as various audits by\nour office. We also reviewed SSA\xe2\x80\x99s draft 2012 FISMA Chief Information Officer Section\nReport.\n\nOur evaluation followed the DHS FY 2012 FISMA guidance 1 and focused on Risk\nManagement, Configuration Management, Incident Response and Reporting, Security\nTraining, Plan of Action and Milestones, Remote Access Management, Identity and\nAccess Management, Continuous Monitoring Management, Contingency Planning,\nContractor Systems, and Security Capital Planning.\n\nWe performed field work at SSA facilities nationwide from April to October 2012. We\nconsidered the results of our other audits performed in FY 2012. We conducted this\nperformance audit in accordance with generally accepted government auditing\nstandards. 
Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n1\n  DHS Federal Information Security Memorandum 12-02, FY 2012 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, February 15, 2012.\n\x0c                                                                                     Appendix D\n\nThe Social Security Administration\xe2\x80\x99s Major\nSystems\n                                  System                                             Acronym\n                       General Support Systems 1\n    1   Audit Trail System                                                    ATS\n\n    2   Comprehensive Integrity Review Process                                CIRP\n\n    3   Death Alert Control and Update System                                 DACUS\n\n    4   Debt Management System                                                DMS\n\n    5   Enterprise Wide Mainframe & Distributed Network Telecommunications\n        Services and System                                                   EWANS\n\n    6   FALCON Data Entry System                                              FALCON\n\n    7   Human Resources Management Information System                         HRMIS\n\n    8   Integrated Client Database System                                     ICDB\n\n    9   Integrated Disability Management System                               IDMS\n\n10      Quality System                                                        QA\n\n11      Security Management Access Control System                             SMACS\n\n12      Social Security Online Accounting & Reporting System                  SSOARS\n\n13      Social Security Unified 
Measurement System                            SUMS\n\n                             Major Applications 2\n    1   Electronic Disability System                                          eDib\n\n\n1\n  Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources, Section A.2.c, defines a \xe2\x80\x9cgeneral support system\xe2\x80\x9d or \xe2\x80\x9csystem\xe2\x80\x9d as an\ninterconnected set of information resources under the same direct management control which shares\ncommon functionality.\n2\n  Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources, Section A.2.d, defines a \xe2\x80\x9cmajor application\xe2\x80\x9d as an application that requires special\nattention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or\nunauthorized access to or modification of the information in the application.\n\n\n\n\n                                                   D-1\n\x0c                            System                                       Acronym\n2   Earnings Record Maintenance System                              ERMS\n\n3   National Investigative Case Management System                   NICMS\n\n4   Recovery of Overpayments, Accounting and Reporting System       ROAR\n\n5   Retirement, Survivors, Disability Insurance Accounting System   RSDI ACCTNG\n\n6   Supplemental Security Income Record Maintenance System          SSIRMS\n\n7   Social Security Number Establishment and Correction System      SSNECS\n8   Title II                                                        T2\n\n\n\n\n                                            D-2\n\x0c                                                                         Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n   Brian Karpe, Director, Information Technology Audit Division\n   Grace Chi, Audit Manager\nAcknowledgments\nIn addition to those named above:\n\n   
Michael Zimmerman, Auditor-in-Charge\n   Tina Nevels, Auditor-in-Charge\n   Asad Isfahani, Auditor\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff at (410) 965-4518.\nRefer to Common Identification Number A-14-12-12120.\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. 
This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"